What should I do to improve NextCloud security? [Details inside]

Hello NextCloud forum,

Background Information
I recently went through this tutorial to set up NextCloud on the Raspberry Pi and found the install went super smoothly.

Now I know I can get NextCloud set up on my system I plan on doing a fresh install with the intention of hardening the security.

My Question
Is there anything that I should be doing when following the installation tutorial to tighten up my security?

I have seen a few people mention not putting things in the default directory, but I am not sure exactly what I would need to do when following the tutorial. If anyone could give me pointers that would be helpful.

Any other pointers you can give me to improve my security would also be very helpful.

Thanks in advance :slight_smile:

There's a great documentation page for that right here. :slight_smile:

Hi @Bugsbane,

Thank you for being the only person stopping by and leaving a reply, it's greatly appreciated!

I have read the documentation you linked to and it tells me exactly what I need to do to harden the security of NextCloud.

What I now need to know is how do I go about implementing those steps?

Could you point me in the right direction? Perhaps you could help me with some of the easier and quicker fixes?

Hope you can reply even if it's just to say you don't have the time to spare to help me.

Thanks again for the original comment :slight_smile:

Hi _1uke,

In addition I would still install fail2ban.
I have implemented it and it works fine :slight_smile:

Regards
Alex.

1 Like

Sharing some details about your setup would help in recommending security steps, as well as linking to tutorials.

Here's a good guide to installing/configuring fail2ban:

Then of course there is this:

Cheers
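What fail2ban actually does with Nextcloud's log is simple enough to write out and test offline, which is a useful check before trusting a jail. The block below is an added example, not code from this thread, from fail2ban or from Nextcloud. It assumes the log format Nextcloud uses for nextcloud.log (one JSON object per line with "time", "remoteAddr" and "message" fields, a failed login logged as a message beginning "Login failed"); the log lines in SAMPLE_LOG are constructed, and the maxretry/findtime defaults are the ones you would set in jail.local.

```python
"""Added example: the detection a fail2ban jail performs on nextcloud.log,
written in Python so the filter and its findtime/maxretry rule can be tried
offline.  Assumed log format: one JSON object per line with "time",
"remoteAddr" and "message"; a failed login logs "Login failed: ...".
SAMPLE_LOG is constructed, not a real capture."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same shape as the failregex a fail2ban filter would carry for this format;
# fail2ban writes <HOST> where this pattern has the named group.
FAILREGEX = re.compile(r'"remoteAddr":"(?P<host>[^"]+)".*"message":"Login failed')

# Constructed log: one attacker hammering /login, one slow guesser, one
# unrelated line.  203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2017-08-20T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
{"reqId":"a2","level":2,"time":"2017-08-20T10:00:07+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')"}
{"reqId":"a3","level":1,"time":"2017-08-20T10:00:09+00:00","remoteAddr":"192.168.1.20","user":"luke","app":"cron","method":"GET","url":"/cron.php","message":"Cron job started"}
{"reqId":"a4","level":2,"time":"2017-08-20T10:00:15+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'pi' (Remote IP: '203.0.113.5')"}
{"reqId":"a5","level":2,"time":"2017-08-20T10:30:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '198.51.100.9')"}
{"reqId":"a6","level":2,"time":"2017-08-20T11:00:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '198.51.100.9')"}
{"reqId":"a7","level":2,"time":"2017-08-20T11:30:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '198.51.100.9')"}
"""


def parse_failures(lines):
    """Return (timestamp, host) for every failed-login line; other lines are skipped."""
    failures = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        try:
            when = datetime.fromisoformat(json.loads(line)["time"])
        except (ValueError, KeyError):
            continue  # malformed line: fail2ban would ignore it as well
        failures.append((when, m.group("host")))
    return failures


def find_bans(failures, maxretry=3, findtime=600):
    """Apply fail2ban's rule: a host is banned once it has `maxretry` failures
    inside any window of `findtime` seconds.  Returns {host: ISO time of ban}."""
    by_host = defaultdict(list)
    for when, host in failures:
        by_host[host].append(when)
    window = timedelta(seconds=findtime)
    bans = {}
    for host, times in by_host.items():
        times.sort()
        # Slide a window of `maxretry` consecutive failures over the timeline.
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                bans[host] = times[i].isoformat()
                break
    return bans


if __name__ == "__main__":
    for host, when in find_bans(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"ban {host} at {when}")
```

With the defaults, the fast attacker is banned at its third failure while the slow guesser (one attempt every 30 minutes) never is; raising findtime to an hour catches it too. That trade-off is exactly what the findtime and maxretry values in jail.local control, so tune them against your own log rather than copying numbers from a tutorial.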

Hi @tux73

Thanks for your help and suggestion, I found it useful and easy to implement.

I followed this YouTube tutorial for adding Fail2Ban to my Raspbian install.

Could you take a moment to watch the tutorial and let me know if that is enough to protect myself when using NextCloud.

Thanks again for your help and support! :slight_smile:

Actually, thinking about it, the page I linked to is really the more advanced security stuff. The first thing that you should really check is that you're using strong directory permissions (there's a script on that doc page to do it for you). Just remember to adjust these before you upgrade (you can see how on the upgrade doc page).

1 Like
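The documentation's script sets the permissions; what it does not give you is a way to see whether they are still right after an upgrade or an app install. The block below is an added read-only check, not the script from the Nextcloud documentation and not code from this thread. It assumes the modes that script applies (files 0640, directories 0750, .htaccess 0644, occ executable) and, as a simplification, a single expected owner (www-data on Raspbian) for the directories the web server must write to; the demo tree it builds is constructed, with two deliberate mistakes.

```python
"""Added example: audit a Nextcloud tree for the 'strong permissions' scheme
(files 0640, dirs 0750, .htaccess 0644, occ executable) and, for the
web-writable subtrees, for the expected owner.  Not the documentation's
script; it changes nothing, it only reports.  build_demo_tree() creates a
constructed stand-in for an install under a temporary directory."""
import os
import pwd
import stat
import tempfile

# Subtrees the documentation's script hands to the web user; everything else
# it leaves owned by root, so the owner check is limited to these.
OWNED_SUBTREES = ("apps", "assets", "config", "data", "themes", "updater")


def _owner_name(uid):
    """Resolve a uid to a name, falling back to the number (containers often
    run with uids that have no passwd entry)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user():
    return _owner_name(os.getuid())


def audit_permissions(root, owner=None, file_mode=0o640, dir_mode=0o750,
                      htaccess_mode=0o644, executables=("occ",),
                      owned_subtrees=OWNED_SUBTREES):
    """Return sorted (path, actual, expected) triples for entries whose mode
    deviates, plus (path, actual_owner, expected_owner) when `owner` is given
    and an entry under an owned subtree belongs to someone else.  Symlinks
    are skipped."""
    findings = []

    def check(path, is_dir):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        rel = os.path.relpath(path, root)
        name = os.path.basename(path)
        if is_dir:
            expected = dir_mode
        elif name in executables:
            expected = file_mode | 0o110  # 0640 -> 0750: owner and group may execute
        elif name == ".htaccess":
            expected = htaccess_mode
        else:
            expected = file_mode
        actual = stat.S_IMODE(st.st_mode)
        if actual != expected:
            findings.append((rel, f"{actual:04o}", f"{expected:04o}"))
        if owner is not None and rel.split(os.sep)[0] in owned_subtrees:
            actual_owner = _owner_name(st.st_uid)
            if actual_owner != owner:
                findings.append((rel, actual_owner, owner))

    check(root, True)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            check(os.path.join(dirpath, d), True)
        for f in filenames:
            check(os.path.join(dirpath, f), False)
    return sorted(findings)


def build_demo_tree():
    """Constructed stand-in for an install, with two deliberate mistakes:
    a world-writable apps/ and a world-readable index.php."""
    root = tempfile.mkdtemp(prefix="nc-perms-")
    for name, mode in {"apps": 0o777, "config": 0o750, "data": 0o750}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # chmod explicitly: mkdir honours umask
    for name, mode in {"index.php": 0o644, "occ": 0o750, "apps/README": 0o640,
                       "config/config.php": 0o640, "data/.htaccess": 0o644}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed\n")
        os.chmod(path, mode)
    os.chmod(root, 0o750)
    return root


if __name__ == "__main__":
    for finding in audit_permissions(build_demo_tree(), owner=current_user()):
        print(finding)
```

On a real install run it as `audit_permissions("/var/www/nextcloud", owner="www-data")` (path and user are assumptions for a Raspbian/Apache setup); an empty list means the tree matches the scheme, and anything reported is what to fix before and after an upgrade.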

Hi @Andy_D,

Thanks for the reply,

I followed the link to your blog and tried to follow point '10.1 Make use of ramdisk'.

However, when I navigate my folder structure I don't have the file or folder 'fstab' (see picture below).

Any idea why this might be missing?

Hi _1uke,

"fstab" isn't a folder. It's a file…

Regards
Alex.

Thanks for the reply @tux73

I am making some good progress with my security, I have moved my data folder out of the default location and I have also installed Fail2Ban.

I am currently doing my best to learn how to configure the sshd_config, jail.local and sshd.conf files.

Thanks for explaining the fstab file. I imagine from your picture that I am supposed to access the file via the command line?

I have tried using the command line. (See the examples below). But I am not having any success.

Could you let me know where I am going wrong.

Thank you for continuing to support me it is appreciated :slight_smile:

Against brute force attacks I can additionally highly recommend changing your SSH port, if this is the way you access your Pi.

With the standard port 22, fail2ban had a hard job and often banned IPs from around the world. I switched to another port about one year ago and have had NO SINGLE brute force attempt since then. The standard brute force bots just try port 22 ;). The only problem you might face is that some internet connections from workplaces, public institutions like universities etc. only allow outgoing connections on standard ports. My university, for example, allows port 22, but my new SSH port is blocked by them. But I prefer to access my server from the local network anyway.

If your Pi is connected via a router, you can simply achieve this by changing the port forwarding in your router settings to forward the port of your choice to port 22 of your Pi.
An alternative solution is to change the port on the Pi by adjusting /etc/ssh/sshd_config and running #service sshd restart to use the new config. In that case of course you also need to adjust the port forwarding afterwards.

To make SSH even more secure, you should consider using key authentication instead of user/password:

  1. Use "PuttyGen" on your remote system to create a key pair; better change the key size to 4096. For more security but less comfort, also save the key with a passphrase.
  2. Store the private key somewhere hidden on your remote system.
  3. Log in via SSH to your Pi, create the "authorized_keys" file (see below) and paste in the public key string that PuttyGen gives you:

mkdir ~/.ssh
nano ~/.ssh/authorized_keys

  4. Adjust the ssh config to allow key authentication:
sudo nano /etc/ssh/sshd_config
	RSAAuthentication yes
	PubkeyAuthentication yes
  5. In the Putty settings add the private key that you saved on your system before: Putty/Connection/SSH/Auth

  6. Try to access it and see if key authentication works fine. If so, you can disable user/password authentication by changing the Pi's ssh config again:

sudo nano /etc/ssh/sshd_config
    PasswordAuthentication no

If you use remote desktop or stuff like that to access your Pi, I highly recommend using SSH to tunnel these less secure connections. So the only open ports need to be the chosen SSH port and of course 80+443 for web access.

Regarding fstab: it is located in /etc, whereas according to your terminal screen you are looking inside your user's home directory ;).

Use "#sudo nano /etc/fstab" to access it, or file manager/leafpad/vi, whatever you prefer.
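After editing sshd_config by hand it is worth checking that the file really says what you think, because sshd takes the first occurrence of each keyword and ignores later duplicates, commented-out lines are not defaults, and anything under a Match block only applies conditionally. The block below is an added checker for the settings discussed in the post above; it is not code from the thread or from OpenSSH. Both configs in it are constructed, and it adds two caveats the post does not mention: `RSAAuthentication` only ever applied to SSH protocol 1 and is ignored by OpenSSH 7.4 and later, and with `UsePAM yes` a password can still be accepted through keyboard-interactive unless `ChallengeResponseAuthentication` is also `no`.

```python
"""Added example: audit an sshd_config for the hardening steps discussed
above (non-default port, key-only login, no root password login) using
sshd's own reading rules: first occurrence of a keyword wins, '#' lines are
comments, and lines after the first Match block are conditional and skipped.
WEAK_CONFIG and HARDENED_CONFIG are constructed."""
import re

# Defaults sshd assumes when a keyword is absent (OpenSSH 7.x).
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

WEAK_CONFIG = """\
# Port 22             <- commented out, so it is NOT a setting
Port 22
Protocol 2
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2200
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# A later duplicate does not reopen passwords: sshd keeps the first value.
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword(lowercase): value} for the global section, first match wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional; not part of the global policy
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(code, message)] for each weakness found; empty list means clean."""
    s = dict(SSHD_DEFAULTS)
    s.update(parse_sshd_config(text))
    findings = []
    if s["port"] == "22":
        findings.append(("port-22", "listening on the default port that brute-force bots target"))
    if s["passwordauthentication"] != "no":
        findings.append(("password-auth", "PasswordAuthentication is not 'no'"))
    if s["challengeresponseauthentication"] != "no":
        findings.append(("challenge-response",
                         "keyboard-interactive can still accept passwords via PAM"))
    if s["pubkeyauthentication"] != "yes":
        findings.append(("pubkey-disabled", "PubkeyAuthentication is not 'yes'"))
    if s["permitrootlogin"] == "yes":
        findings.append(("root-login", "PermitRootLogin yes allows root password login"))
    if "rsaauthentication" in s:
        findings.append(("rsaauthentication-obsolete",
                         "RSAAuthentication was for protocol 1 only; OpenSSH >= 7.4 ignores it"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "ok")
```

To run it against the live file: `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Keep a second SSH session open while you change the file and run `sudo sshd -t` before restarting, so a typo cannot lock you out.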

Thanks for pointing me in the right direction @MichaIng

@MichaIng and @Andy_D

Since I struggled to access fstab, I certainly don't feel confident enough to add the commands in this tutorial.

There is a lot in there that I don't understand and I will most likely get stuck… or worse, break something! :confused:

Just adding those lines will not break anything. But as your Pi's memory is limited, I would not mount /var/tmp to RAM anyway. It is, as far as I found on search engines, often larger than /tmp and more for long-term storage, and therefore fits better on the hard drive on low-RAM systems like the Pi. (Source)

To mount /tmp to RAM, on the other hand, there is another way on Raspbian:

sudo nano /etc/default/tmpfs
	RAMTMP=yes

So add "RAMTMP=yes". This may do exactly the same as manually mounting in fstab, dunno ;).

@MichaIng,

Not sure if I am understanding you correctly… are you saying I shouldn't mount /var/tmp to RAM?

I didn't quite understand how doing that would have improved security anyway…? So perhaps it's not a huge loss? :slight_smile:

Yes, in the case of the Raspberry Pi at least, mounting /var/tmp to RAM will not have much performance benefit and could otherwise lead to a performance decrease if RAM is full, depending on how intensively (number of users) you use Nextcloud or otherwise use your Pi.

And yes, it has nothing to do with security. I was already wondering how the topic moved to fstab :smile:.

On security see my larger post above ;).

I wrote a blog post about NC security with Apache. I shared it in this post:

https://help.nextcloud.com/t/nextcloud-a-security-analysis/?source_topic_id=10513